Wednesday, October 29, 2014

Cyber Threat Marketing and Political Expediency: STOP THE MADNESS

FireEye's APT28 report is the latest in a series of glossy marketing white papers which claim to reveal the workings of "state-sponsored actors", in this case from Russia. The paper fails to prove its claim of state-sponsorship (a confusing term that the FireEye report never defines) and evidences a few other bad habits described below.

However, none of that really matters because Russia is currently on the White House's shit list, it's being hammered by sanctions, and the Kremlin has shown itself over the years to be more than willing to let its very talented hacker population engage in cyber attacks against its political enemies without repercussion.

Last year when Mandiant came out with its APT1 report about China, guess who was on the White House's shit list then?

From a marketing perspective, you can say-hint-imply-presume whatever you want. Proof is irrelevant. What counts is that the political interests of the U.S. and other western nations correspond with the marketing interests of cyber security companies. Timing - as Hesiod said - is everything.

However, even if the raw commercialism of this strategy doesn't bother you, or is at least forgivable because FireEye and all of its competitors are, after all, for-profit enterprises, the report's authors have made some awful decisions in their analytic method.

Cherry-Picking The Evidence

"APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests. They do indicate parallel areas of interest to many governments and do not run counter to Russian state interests."

In other words, we've just included the evidence that supports our theory and excluded the evidence that doesn't. That's precisely the kind of bad analysis that's behind every intelligence failure that has ever happened.

Calling Low Level Attacks "Sophisticated"

"Russia has long been a whispered frontrunner among capable nations for performing sophisticated network operations. This perception is due in part to the Russian government’s alleged involvement in the cyber attacks accompanying its invasion of Georgia in 2008, as well as the rampant speculation that Moscow was behind a major U.S. Department of Defense network compromise, also in 2008. These rumored activities, combined with a dearth of hard evidence, have made Russia into something of a phantom in cyberspace."

Speaking as someone who's been researching Russian information warfare practices and, more importantly, its ongoing research and development in information security, I can tell you that the SQL attacks against Georgian government websites during the 2008 war were not even close to "sophisticated". Same with the 2008 DOD breach. Remember that when you have to explain to your boss that some unemployed Russian kid (sorry, Russian "state-sponsored" actors) stole everything you own, it had better be because the attack was "highly sophisticated".

Unfortunately for myself and others who take a skeptical or even cynical view of every public report of a "sophisticated state-sponsored" attack, the reporting agency or corporation never shares its raw data. And whatever is shared is scrubbed.

APT28 isn't a Person or Persons. It's a Thing

Cyber security companies that monitor networks and threat actors rely almost exclusively upon technical attributes when they establish a "group". It's not like a street gang unit at your local PD that can tell you which gangs operate in an area, who the members are and where they go when they leave. They don't know who the members are, or how many there are, or what nationality they are, or who they're working for, or how long they stay before moving on. Visit ZoneH.org and pick any hacker group that does high-profile defacements. Do a search by group name and find one with a history spanning just one year. Start with the earliest defacement and add the aliases of the group's members to a spreadsheet. Jump ahead a few months and check to see if the names have changed. Jump ahead a year. Members come and go, and when they go they take with them the tools and resources that they are comfortable using. Or perhaps they'll discover new tools with a different group and, in a few months, jump again - this time with different TTPs than they had a year ago. Are they still "APT28"?

"Stop The Madness"

To quote Mr. Wonderful, "STOP THE MADNESS!" Reports like these cannot be trusted to give a factual assessment of the real-world capabilities of any government's activities with their resident hacker populations. And they positively do not reflect the capabilities of any government's security services.

They are (1) a way to gain market share through garnering headlines and (2) a way to gain favor or secure contracts with government agencies who are catering to their customer - the Executive Office of the President.